Mail Stop RCE 
Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 



SIR: 



AMENDMENT 



This is responsive to the Office Action dated October 11, 2005 in connection with the 
above-referenced patent application. A petition and accompanying fee for a three month extension 
of time is enclosed herewith. 

Pursuant to the brief telephone call of today with the examiner, the undersigned 
attorney requests that prior to action on this amendment, the examiner telephone the 
undersigned to conduct a brief interview to further discuss the main prior art being relied 
upon. 
addressed to the Mail Stop RCE, Commissioner for Patents, P.O. Box 1450, Alexandria, VA 22313-1450 on the date below: 



Dated April 10, 2006 



Signed 



Print Name Paula M. Halsey 



Amendments to the claims: 

1. (presently amended) A method of enforcing security policies in a data access system, said 
data access system having data access management software in program memory, said method 
comprising: 

defining a first action as a first condition; 

determining that a second action should not take place if said condition occurs; and 
upon occurrence of said first condition, placing a rule into data access management 
software in said data access system, said rule testing for a second condition and precluding an 
action if said second condition is present, said rule being stored remotely and only loaded into 
program memory for the duration of said first condition, precluding said second action. 

2. (original) The method of claim 1 wherein said condition is effectuation of a first transaction by 
a user and said second action is the effectuation of a related transaction by the same user. 

3. (presently amended) The method of claim 1 wherein said first condition is effectuation of 
a first transaction by a first user in a particular role, and said second action is the effectuation of a 
second transaction and said second condition is that a specified user is associated with said second 
action, by a second user in a second role, the roles being either the same or different. 

4. (presently amended) The method of claim 3 wherein the first user and the specified user are 
different, the role of the first user and that of the second user are different. 

5. (presently amended) The method of claim 2, further comprising eliminating said rule from 
said data access management software immediately upon rescinding of said condition. 

6. (presently amended) The method of claim 2 wherein a user attempting to effectuate said 
related transaction second action is informed of said first condition or said second condition and 
advised automatically that said second action is prohibited, pending the relinquishment of the 
condition. 

7. (presently amended) The method of claim 2 wherein said first action is the ordering of 
goods or services and said second action is the payment for such goods or services and said second 
condition is the user attempting such payment is the same user ordering said goods or services. 

8. (presently amended) Apparatus for enforcing security policies to increase security of data 
access management software, said apparatus comprising: 

a file of rules, said rules only being applicable to prevent specified data transactions by a 
first user upon the effectuation of specified transactions to modify the data a specified action by 
said first user; 

software for recognizing that said first user has effected said specified action transaction, 

and 

means for reading said file, locating said rules to prevent said specified data transactions, 
and, upon occurrence of said specified action of said first user, integrating said rules into said 
data access management software such that said specified database data transactions are 
prohibited, wherein said rules are not integrated with said data access management software prior 
to said occurrence of said specified action. 

9. (original) Apparatus of claim 8 wherein further comprising means for eliminating the rule 
from the data access management software at the conclusion of a predetermined time or upon a 
predetermined condition. 

10. (previously presented) A method of enforcing confidentiality in the form of a wall 
comprising the steps of: 

storing at least one rule that prohibits a known party from accessing specified information in 
a database or file if a first specified condition occurs; 

upon a first specified condition occurring, modifying data access management software to 
include a rule that prohibits a known party from accessing specified information in a database or 
file; 

said first specified condition being indicative of said known party having knowledge of a 
particular set of information; and 

upon a second specified condition occurring, removing said rule from the data access 
management software and storing said rule for future use, said specified second condition 
indicating that said knowledge is no longer sensitive. 

11. (original) The method of claim 10 wherein said rule is generated from a template rule. 

12. (original) The method of claim 11 wherein said known party is defined as any individual 
engaged in a predetermined role. 

13. (previously presented) The method of claim 10 wherein said known party is notified of the 
occurrence of said second condition. 

14. (original) The method of claim 13 wherein said notification is via email. 

15. (original) The method of claim 10 wherein said knowledge is no longer sensitive because 
it has been made public or because a predetermined time has passed. 

16. (original) The method of claim 1 wherein said rule is generated from a template rule. 

17. (previously presented) The method of claim 10 wherein some other individual, not the 
known party, is notified of the occurrence of said second condition. 

18. (previously presented) The method of claim 17 wherein said notification is via e-mail. 

19. (previously presented) The method of claim 11 wherein some other individual, not the 
known party, is notified of the occurrence of said second condition. 

20. (previously presented) The method of claim 19 wherein said notification is via e-mail. 
21. (cancelled) 

22. (previously presented) The method of claim 11 wherein another individual, not the known 
party, is notified when the known party attempts the prohibited second action more than once. 

23. (previously presented) The method of claim 10 wherein another individual, not the known 
party, is notified when the known party attempts to access said specified information in the 
database more than once. 

24. (previously presented) The method of claim 23 wherein the notification is via e-mail. 

25. (original) The method of claim 22 wherein the notification is via e-mail. 

26. (previously presented) The method of claim 23 wherein said another individual is the user's 
manager or supervisor. 

27. (previously presented) The method of claim 23 wherein said another individual is 
responsible for data security. 

28. (previously presented) The method of claim 22 wherein said another individual is the user's 
manager or supervisor. 

29. (previously presented) The method of claim 22 wherein said another individual is 
responsible for data security. 

30. (previously presented) The apparatus of claim 9 wherein the eliminated rule is saved in an 
audit log. 

31. (previously presented) The method of claim 10 wherein the removed rule is saved in an 
audit log. 

32. (previously presented) The method of claim 1 wherein the rule is not loaded until a 
specified user logs on to the system. 

33. (previously presented) The method of claim 1 wherein the rule is only tested for a specified 
user. 

34. (previously presented) The method of claim 10 wherein the rule is not loaded until a 
specified user logs on to the system. 

35. (previously presented) The method of claim 10 wherein the rule is only tested for a 
specified user. 

36. (previously presented) The method of claim 3 wherein the rule is not loaded until a user in 
a specified role logs on to the system. 

37. (previously presented) The method of claim 3 wherein the rule is only tested for a user in 
a specified role. 

38. (previously presented) The method of claim 12 wherein the rule is not loaded until a user 
in a specified role logs on to the system. 

39. (previously presented) The method of claim 12 wherein the rule is only tested for a user in 
a specified role. 

40. (original) The method of claim 1 wherein the security policy is separation of duties. 

41. (original) The method of claim 1 wherein the security policy is compliance to regulation. 

42. (original) The method of claim 1 wherein the security policy is privacy of data. 

43. (previously presented) The method of claim 23 wherein said another individual is a 
computer process. 

44. (previously presented) The method of claim 22 wherein said another individual is a 
computer process. 

45. (previously presented) The method of claim 1 wherein said rule is generated upon occurrence 
of said condition. 
46. (previously presented) The apparatus of claim 8 further comprising means for generating said 
rules upon occurrence of said specified action of said first user. 

47. (previously presented) The method of claim 10 wherein said rule is generated upon 
occurrence of said first specified condition. 
REMARKS 

This is responsive to the Office Action dated October 11, 2005 in the above identified 
application. A petition for a 3 month extension of time is enclosed, along with the appropriate fee. 

The present invention teaches a novel technique in implementing security policy rules. The 
present invention stores the rules separately from the main software, and only loads them for 
execution when specified conditions occur. Thus, unlike all of the prior art cited, the present 
invention does not require the execution of these security policy rules each time the main software is 
run. 

All of the independent claims clearly point out this important distinction, although they use 
slightly different language to do so. For example, amended claim 8 recites: " integrating said rules 
into said data access management software such that said specified data transactions are 
prohibited, wherein said rules are not integrated with said data access management software prior 
to said occurrence of said specified action ." Similarly, independent claim 10 recites "upon a first 
specified condition occurring, modifying data access management software to include a rule that 
prohibits a known party from accessing specified information in a database or file . . . upon a second 
specified condition occurring, removing said rule from the data access management software and 
storing said rule for future use." (underlining added). In other words, the rules are independent of 
the main software, and are only loaded into program memory when they should execute. 

This concept is described in applicant's original specification, for example, at pages 3-5 
and Figure 1. This unique feature is not described in any of the cited prior art. With one 
exception, all of the cited art appears to relate to security policies that are enforced with a static set 
of code that performs various tests and prohibitions. 

As best applicant can tell from review of the cited references, only Hudson '637 relates in 
any way to a dynamic policy. However, Hudson implements the same fixed security policy 
applicable to a user for the duration of the user's session (col. 1-2). It is "dynamic" only in the 
sense that it lasts for a user session. Hudson does not continue to monitor conditions and load rules 
from a remote source upon conditions occurring during the user's session. Accordingly, none of 
the prior art teaches applicant's system of storing the rules separately, monitoring the system for 
the occurrence of specified conditions, and then loading rules in and out of memory as conditions 
come into being and cease from existence. 
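The mechanism the remarks distinguish from the prior art (rules kept in a separate store, loaded into the data access manager only while a triggering condition holds for a given user, removed and written to an audit log when the releasing condition occurs, with repeated blocked attempts escalated) as an added illustration. This is constructed example code, not the applicant's implementation; the rule names, event names and users are assumptions.

```python
from dataclasses import dataclass
# Added illustration, not the applicant's code. Rules live in a separate store and
# are placed into the manager's active set only while their triggering condition
# holds for the user who caused it; the releasing condition unloads and logs them.

@dataclass(frozen=True)
class Rule:
    name: str
    trigger: str   # first condition: loads the rule for the user who caused it
    release: str   # second condition: unloads it (the rule stays in the store)
    blocks: str    # action precluded while the rule is loaded

# Constructed rule store (names are assumptions). First rule: separation of duties,
# the user who orders goods may not also pay for them. Second rule: a confidentiality
# wall, a party who has read client A's deal file may not read client B's until public.
RULE_STORE = [
    Rule("sod_order_pay", trigger="order", release="order_settled", blocks="pay"),
    Rule("wall_rival", trigger="read:clientA_deal", release="deal_public",
         blocks="read:clientB_deal"),
]

class DataAccessManager:
    def __init__(self, store):
        self.store = store
        self.active = {}         # (rule name, user) -> Rule, only while loaded
        self.audit_log = []      # keys of rules removed from program memory
        self.notifications = []  # repeated blocked attempts, for a supervisor
        self._attempts = {}

    def event(self, name, user):
        """Report a condition for a user; loads or unloads the matching rules."""
        for r in self.store:
            if r.trigger == name:
                self.active[(r.name, user)] = r
        for key, r in list(self.active.items()):
            if r.release == name and key[1] == user:
                del self.active[key]
                self.audit_log.append(key)

    def request(self, action, user):
        """Test only rules loaded for this user; returns (allowed, reason)."""
        for (rname, bound), r in self.active.items():
            if bound == user and r.blocks == action:
                n = self._attempts[(rname, user)] = self._attempts.get((rname, user), 0) + 1
                if n > 1:
                    self.notifications.append(f"{user} retried {action} ({n} attempts)")
                return False, f"{action} prohibited pending {r.release}"
        self.event(action, user)  # an allowed action may itself be a first condition
        return True, "allowed"
```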

Applicant therefore respectfully requests reconsideration and allowance in view of the above 
remarks and amendments. The Examiner is authorized to deduct additional fees believed due from 
our Deposit Account No. 11-0223. 



Respectfully submitted, 



KAPLAN GILMAN GIBSON DERNIER LLP 
900 Route 9 North, 5th Floor 
Woodbridge, New Jersey 07095 
Telephone (732) 6/4-7634 




Dated: April 10, 2006 



Jeffrey I. 
(Reg. No 